Critical Unauthenticated Remote Code Execution Vulnerability Found in Erlang/OTP SSH

A newly disclosed critical vulnerability in the Erlang/OTP SSH implementation has triggered widespread concern across the cybersecurity community. Identified as CVE-2025-32433, the flaw enables unauthenticated remote code execution (RCE) and affects a large number of systems relying on Erlang/OTP for secure remote communication. With public exploit code now available, organizations are being urged to take immediate remediation steps.

Vulnerability Summary

The issue arises from a defect in the way the Erlang/OTP SSH server handles protocol messages during the initial connection phase. An attacker can exploit this flaw by sending specially crafted messages before authentication is completed. This bypass allows for the execution of arbitrary code on the target system, potentially with high-level privileges if the SSH service is running with elevated access.

The vulnerability is rated with a CVSSv3 base score of 10.0, the highest possible severity level, due to its ease of exploitation and potential impact.

Affected Systems

The vulnerability affects all applications and services that utilize Erlang/OTP’s SSH implementation, including custom systems and popular platforms such as RabbitMQ and Elixir applications. Any deployment exposing the Erlang/OTP SSH server to a network is considered vulnerable.

Impacted versions:

• OTP 27.3.2 and earlier

• OTP 26.2.5.10 and earlier

• OTP 25.3.2.19 and earlier

Security Impact

Successful exploitation of this vulnerability allows a remote attacker with network access to:

• Gain full control over the system without authentication

• Execute arbitrary commands

• Access or modify sensitive data

• Deploy malicious software

• Disrupt services through denial-of-service attacks

The risk is significantly higher if the SSH daemon runs with administrative or root privileges.

Remediation and Workarounds

The Erlang/OTP development team has issued security patches addressing the vulnerability. All users running affected versions should upgrade immediately.

Patched versions:

• OTP 27.3.3

• OTP 26.2.5.11

• OTP 25.3.2.20

Recommended actions:

• Upgrade Erlang/OTP to a patched version without delay

• Apply strict firewall rules to limit SSH access to trusted sources

• Disable the Erlang/OTP SSH service temporarily if it is not essential

• Monitor systems for unusual activity and signs of exploitation

An official advisory with technical details and mitigation guidance is available through the Erlang/OTP GitHub repository.

Current Risk Landscape

With a proof-of-concept exploit publicly released, the window for safe remediation is closing. Attackers are expected to actively target vulnerable systems in the coming days and weeks. This vulnerability affects core infrastructure across telecommunications, IoT, and distributed environments, raising the potential for widespread abuse if left unpatched.

CVE-2025-32433 highlights the critical importance of maintaining up-to-date dependencies and reviewing exposure of services to the public internet. Systems using Erlang/OTP for SSH communication should be treated as high-risk until properly updated. Immediate action is required to prevent potential breaches or service disruptions.

Organizations are strongly encouraged to patch affected systems now, implement appropriate access controls, and perform a full audit of their infrastructure to ensure security against this threat.